US10523442B2ActiveUtilityA1
Secure inter-service communications in a cloud computing system
Est. expiryAug 21, 2037(~11.1 yrs left)· nominal 20-yr term from priority
H04L 9/3297H04L 9/3247H04L 9/3268H04L 9/3249H04L 9/321G06F 7/582
49
PatentIndex Score
0
Cited by
12
References
14
Claims
Abstract
Secure communications between services or components of a cloud computing system, are facilitated by generating at a first service provided by a first computing entity of a cloud computing system, a request for computing resources, generating at the first computing entity a digital data signature based at least on the request, using a private key associated with the first service; and inserting the digital data signature within an HTTP header associated with the request. A computer data network is used to communicate the request to a second service. The second service extracts the digital data signature and uses a public key to validate the digital data signature.
Claims
exact text as granted — not AI-modifiedWe claim:
1. A method to support secure communications between services or components of a cloud computing system, comprising:
generating using a cloud Application Programming Interface (API) at a first service provided by a first computing device of a cloud computing system, a request for computing resources, said request addressed to a second service provided by a second computing device of the cloud computing system which can provide the computing resources;
generating at the first computing device a digital data signature based at least on the request, using a private key associated with the first service;
inserting the digital data signature within an HTTP header associated with the request;
using a computer data network to communicate the request with signature version information to the second service, the signature version information specifying a version of a signature that was used at the first computing device to generate the digital data signature;
performing the following operations at the second service:
parsing the HTTP header to extract the digital data signature,
retrieving information specifying one or more signature versions which are supported,
determining whether the signature version information corresponds to a signature version that is permitted based on the retrieve information specifying one or more signature versions which are supported, and
using a public key to validate the digital data signature, when a determination is made that signature version information corresponds to a signature version that is permitted; and
complying with the request at the second service only if the digital data signature is determined to be valid, wherein the first and second computing entities comprise at least one electronic processing circuit.
2. The method according to claim 1 , further comprising generating at the first service a pseudorandom nonce value, and communicating the pseudorandom nonce value to the second service together with the request.
3. The method according to claim 2 , wherein the digital data signature is further based on the nonce value.
4. The method according to claim 1 , further comprising generating at the first service a timestamp value corresponding to a date and time when the request was generated.
5. The method according to claim 4 , wherein the digital data signature is further based on the timestamp value.
6. The method according to claim 1 , further comprising communicating from the second service to a central Trust authority server to retrieve the public key.
7. The method according to claim 1 , further comprising computing the digital data signature using one or more algorithm selected from the group consisting of an RSA encryption algorithm and one of the SHA-2 family of hashing algorithms.
8. A cloud computing system which supports secure communications between services or components of a cloud computing system, comprising:
a first service that is provided by a first computing device of the cloud computing system, and that comprises a cloud Application Programming Interface (API) that generates a request for computing resources, said request addressed to a second service provided by a second computing device of the cloud computing system which can provide the computing resources;
the first computing device comprising programming instructions to
generate a digital data signature based at least on the request, using a private key associated with the first service,
insert the digital data signature within an HTTP header associated with the request; and
use a computer data network to communicate the request with signature version information to the second computing service, the second version information specifying a version of a signature that was used by the first computing device to generate the digital data signature;
wherein the second service
parses the HTTP header to extract the digital data signature,
retrieves information specifying one or more signature versions which are supported,
determines whether the signature version information corresponds to a signature version that is permitted based on the retrieved information specifying one or more signature versions which are supported,
uses a public key to validate the digital data signature when a determination is made that the signature version information corresponds to a signature version that is permitted, and
complies with the request only if the digital data signature is determined to be valid.
9. The cloud computing system according to claim 8 , wherein the first service further generates a pseudorandom nonce value, and causes the pseudorandom nonce value to be communicated to the second service together with the request.
10. The cloud computing system according to claim 9 , wherein the digital data signature is further based on the nonce value.
11. The cloud computing system according to claim 8 , wherein the first service further asserts a timestamp value corresponding to a date and time when the request was generated.
12. The cloud computing system according to claim 11 , wherein the digital data signature is further based on the timestamp value.
13. The cloud computing system according to claim 8 , wherein the second service further communicates with a central Trust authority server to retrieve the public key.
14. The cloud computing system according to claim 8 , wherein the first computing device further computes the digital data signature using one or more algorithms selected from the group consisting of an RSA encryption algorithm and one of the SHA-2 family of hashing algorithms.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.